feat: Zenzic v0.5.0a4 — The Hardened Sentinel#33
Merged
PythonWoods-Dev merged 16 commits into main on Apr 8, 2026
…T-002/ZRT-004)
- ResolutionContext for source-file-relative href resolution
- _assert_regex_canary(): SIGALRM watchdog (100ms) at engine construction
- Fix B904: raise PluginContractError from None
- Conditional shield import guard + @_shield_skip markers in test suite
- Add arch/vsm_engine.md and internal/security/shattered_mirror_report.md to mkdocs nav (doc files already on disk; nav entries prevent ORPHAN warnings in pre-commit self-check)
…2 (ZRT-001/ZRT-003)
- SecurityFinding gains col_start + match_text for surgical caret rendering
- _map_shield_to_finding(): sole authorised Shield→reporter bridge (Mutation Gate target)
- _obfuscate_secret(): partial redaction (AKIA****1234) safe for CI logs
- SentinelReporter: dedicated red breach panels pre-section (Q2); render_quiet one-liner (Q3)
- Remove early-exit hard-stop; breach findings flow through _to_findings() pipeline
- Exit 2 decided post-render by CLI runner, not scanner (Q3 / Obligation 4)
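The two reporter items in the commit above (col_start + match_text for caret placement, partial redaction that is safe for CI logs) in working form, as an added example that is not Zenzic's own code. The SecurityFinding fields, obfuscate_secret, render_caret, the four-character keep and the rule that anything shorter than 16 characters is fully masked are assumptions made for illustration, not the project's API.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityFinding:
    """Hypothetical finding record: where the match sits and what it was."""
    path: str
    line_no: int      # 1-based line in the source file
    col_start: int    # 0-based column of the match within that line
    match_text: str   # the raw matched secret; must never reach the log
    rule: str


def obfuscate_secret(secret: str, keep: int = 4, mask: str = "****") -> str:
    """Partial redaction for CI logs: 'AKIAIOSFODNN7EXAMPLE' -> 'AKIA****MPLE'.

    Only the first and last `keep` characters survive, enough for a human to
    recognise which credential leaked. Anything shorter than 4 * keep is
    fully masked (assumed threshold): keeping both ends of a short token
    would reveal most of it.
    """
    if len(secret) < 4 * keep:
        return mask
    return f"{secret[:keep]}{mask}{secret[-keep:]}"


def render_caret(source_line: str, finding: SecurityFinding, gutter_width: int = 4) -> list[str]:
    """Return two rows: the source line with the match redacted in place, and
    a caret row whose ^^^ span sits exactly under the redacted match.

    The caret position comes from col_start/match_text rather than from
    searching the line for the secret again, so a line that contains the
    value twice still gets the caret under the reported occurrence.
    """
    start, end = finding.col_start, finding.col_start + len(finding.match_text)
    if source_line[start:end] != finding.match_text:
        # Stale offsets (file edited after scanning) would misplace the caret
        # and, worse, leave the real secret in the rendered line.
        raise ValueError("col_start/match_text disagree with the source line")
    redacted = obfuscate_secret(finding.match_text)
    shown = source_line[:start] + redacted + source_line[end:]
    gutter = f"{finding.line_no:>{gutter_width}} | "
    caret = " " * (len(gutter) + start) + "^" * len(redacted)
    return [gutter + shown, caret]


if __name__ == "__main__":
    # Constructed sample: a docs line with an AWS-style key id in it.
    line = "export AWS_KEY=AKIAIOSFODNN7EXAMPLE  # temp"
    hit = SecurityFinding("docs/setup.md", 12, 15, "AKIAIOSFODNN7EXAMPLE", "aws-access-key")
    print("\n".join(render_caret(line, hit)))
```

The consistency check before redaction is the part worth keeping: if the offsets no longer match the line, the safe failure is to refuse to render rather than to print the line unredacted.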
…re fix (Commit 3)

Mutation Gate — manual verification (The Sentinel's Trial):
- KILLED L'Invisibile: scanner.py::_map_shield_to_finding severity=warning → FAIL
- KILLED L'Amnesico: reporter.py::_obfuscate_secret return raw → FAIL
- KILLED Il Silenziatore: scanner.py::_map_shield_to_finding return None → FAIL

Test changes:
- TestShieldReportingIntegrity: 3 mutant-killer tests (28 total, all green)
- Promote reporter imports to module level (fix mutmut static analysis)

Infrastructure changes:
- noxfile.py: mutation session targets rules/shield/reporter; non-editable install
- pyproject.toml: correct mutmut v3 config keys (pytest_add_cli_args_test_selection, pytest_add_cli_args); expand paths_to_mutate to include shield + reporter; relative_files=true for coverage path alignment
- mutmut_pytest.ini: isolated pytest config for mutation runs (prepend + pythonpath=src)

Known gap: cli.py findings.append silencer not covered (integration test deferred)
…ocs (Commit 4)

CHANGELOG [0.5.0a4] additions:
- Z-SEC-002: breach panel, _obfuscate_secret, _map_shield_to_finding, post-render Exit 2
- Z-TEST-003: TestShieldReportingIntegrity — The Sentinel's Trial manual results (28 tests, all green; mutmut v3 editable-install waiver documented)

Bilingual parity — security analysis doc (EN + IT):
- Section 6 regression table: added TestShieldReportingIntegrity (Z-SEC-002)

Architecture docs (untracked -> committed):
- docs/arch/vsm_engine.md + docs/it/arch/vsm_engine.md
- docs/internal/security/shattered_mirror_report.md + docs/it/ mirror

CONTRIBUTING.md:
- Obligation 4: correct Silencer target (_map_shield_to_finding returns None); correct command (no posargs); add mutmut_pytest.ini note; manual verification workflow
- Mutation targets: rules.py + shield.py + reporter.py

Infrastructure:
- .gitignore: negation rule for mutmut_pytest.ini (comment on separate line)
- mutmut_pytest.ini: SPDX headers added; tracked in repo

Self-check: just check -> ZERO errors (116 files, all clean)
CLI
- Add ok_message parameter to SentinelReporter.render() so each individual check command prints a specific success verdict instead of the generic "All checks passed" message.
- Extract _count_docs_assets() helper to eliminate duplicated file-counting logic across all six check commands.
- All six check commands (links, orphans, snippets, references, assets, placeholders) now use SentinelReporter with a dedicated ok_message; check-all keeps the default.
- Add snippet fallback in reporter: when the source file is unreadable but source_line is available, render a single-line snippet instead of silently skipping it.

Docs
- Rewrite Sentinel in Action / Sentinel in Azione homepage section as pure HTML to prevent Python-Markdown from wrapping nested divs in <p> tags or escaping them as code blocks.
- Add .zz-sentinel-demo CSS component with dark/light mode support for branded mini-panel previews (gutter reporter, shield, grouped by file, severity summary).
- Add .zz-sentinel-section layout CSS for card containment and lateral margins.
- Replace demo link references with plain text to avoid Zenzic false positives from Markdown-like syntax inside HTML spans.

Tests
- Update all ok-assertions to match new per-command messages.
- Fix visual test expectations (gutter counting, LINK_ERROR badge).
find_repo_root gains a keyword-only fallback_to_cwd=False parameter. When True, the function returns cwd instead of raising RuntimeError — enabling zenzic init to run in a brand-new directory with no .git or zenzic.toml present (Genesis Fallback). Only the init command passes fallback_to_cwd=True; all other command entry-points retain the strict check. Three new regression tests added (test_scanner + test_cli).
…ranslations
- ADR 003 (EN + IT): Root Discovery Protocol with Genesis Fallback amendment
- CONTRIBUTING.it.md: PSR section + rewrite of 2 rough machine-translated sections
- mkdocs.yml: 5 new nav_translations for the Italian locale (Decisioni Architetturali, ADR 003, Gap Architetturali, Guida al Contributo, Scrivere Regole Plugin)
- PATH_TRAVERSAL bug in Italian ADR caught and fixed by dogfood self-check
- Add Root Discovery Protocol (RDP) section to CONTRIBUTING.md

extra.css:
- CSS formatter pass: remove alignment padding in custom properties, normalise combinator spacing (> +), padding-left 5ch→2ch, text-align right→left on gutter line numbers, remove line-height 1.05
…, SVG screenshots
- checks.md (EN+IT): Blood Sentinel section, Circular links Θ(V+E) admonition with ADR 003 cross-ref, full References section (Shield 8 patterns, Exit Code 2 contract, Three-Pass Pipeline, violation codes table)
- arch_gaps.md (EN+IT): ZRT-005 Bootstrap Paradox → Resolved, Genesis Test
- architecture.md (EN+IT): new — Iterative DFS O(V+E) Phase 1.5, O(1) Phase 2
- advanced.md (EN+IT): explicit anchor alignment for shield-behaviour
- screenshot.svg: homepage hero — Full Spectrum Report
- screenshot-blood.svg / screenshot-circular.svg: new terminal SVG screenshots
- INTERNAL_GLOSSARY.toml: canonical EN/IT term registry
- mkdocs.yml: Pipeline Architecture added to internal nav
…nfo, hex shield
- validator.py: iterative DFS CIRCULAR_LINK detection (Θ(V+E)); Blood Sentinel PATH_TRAVERSAL_SUSPICIOUS → exit code 3
- reporter.py: incidents_count for security_incident; blood-red summary badge; show_info filter with suppression note
- cli.py: --show-info on all 7 check commands; Shield block in init template
- shield.py: hex-encoded-payload pattern (3+ consecutive \xNN sequences)
- ui.py: BLOOD palette constant
- test_validator.py: CIRCULAR_LINK tests, Blood Sentinel, anchor torture fixture converted from ring to linear chain (avoids CIRCULAR_LINK noise)
- test_cli.py: TestShowInfoFilter (suppressed by default, shown with --show-info, check-all flag accepted via 9-patch integration test) - test_references.py: hex-encoded-payload Shield pattern coverage
- Shield block (8 pattern families, exit code contract) in all 9 example toml - safety_demonstration.md: circular link + hex payload for live Sentinel testing
- CHANGELOG.md / CHANGELOG.it.md: [0.5.0a4] — Blood Sentinel, Graph Integrity Θ(V+E), Hex Shield, --show-info, info suppression, ZRT-005 fix - RELEASE.md: 7-section pre-release audit checklist
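The iterative DFS that the validator commit above describes, as an added example that is not Zenzic's own code: find_link_cycles and circular_link_findings are hypothetical names, and the document graph is a constructed adjacency list. It shows why the walk is iterative rather than recursive (the test fixture note about a long linear chain is exactly the case that breaks recursive DFS), and where the O(V+E) bound and the O(1) per-edge lookup come from.

```python
from __future__ import annotations

from collections import defaultdict

WHITE, GREY, BLACK = 0, 1, 2   # unvisited / on the current path / fully explored


def find_link_cycles(graph: dict[str, list[str]]) -> list[list[str]]:
    """Return every cycle found by a three-colour DFS, each as [a, b, ..., a].

    `graph` maps a source document to the documents it links to. The walk is
    iterative: an explicit stack of (node, child-iterator) pairs stands in for
    recursion frames, so a chain of thousands of documents cannot trip
    Python's recursion limit. Each node is pushed once and each edge consumed
    once, hence O(V+E); the per-edge colour test is a dict lookup, O(1).
    A back edge (an edge to a GREY node) is reported as the slice of the
    current path starting at that node, without rescanning the path.
    """
    colour: dict[str, int] = defaultdict(int)   # missing key reads as WHITE
    pos: dict[str, int] = {}                    # node -> index on the current path
    cycles: list[list[str]] = []
    for root in sorted(graph):                  # sorted for a deterministic report
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        path = [root]
        pos[root] = 0
        stack = [(root, iter(graph.get(root, ())))]
        while stack:
            node, children = stack[-1]
            child = next(children, None)
            if child is None:                   # every edge of `node` consumed
                colour[node] = BLACK
                stack.pop()
                del pos[path.pop()]
            elif colour[child] == GREY:         # back edge: child is on the path
                cycles.append(path[pos[child]:] + [child])
            elif colour[child] == WHITE:
                colour[child] = GREY
                pos[child] = len(path)
                path.append(child)
                stack.append((child, iter(graph.get(child, ()))))
            # BLACK child: already fully explored from another root, skip
    return cycles


def circular_link_findings(graph: dict[str, list[str]]) -> list[dict]:
    """Wrap each cycle as an info-severity finding: informative, never a CI blocker."""
    return [
        {"code": "CIRCULAR_LINK", "severity": "info", "path": " -> ".join(cycle)}
        for cycle in find_link_cycles(graph)
    ]


if __name__ == "__main__":
    # Constructed docs graph: one three-document ring, one self-link, and a
    # shared subtree reached from index.md that must not be reported twice.
    docs = {
        "index.md": ["a.md", "b.md"],
        "a.md": ["b.md"],
        "b.md": ["c.md"],
        "c.md": ["a.md"],
        "d.md": ["d.md"],
    }
    for finding in circular_link_findings(docs):
        print(finding)
```

The BLACK state is what keeps the walk linear: once a.md's subtree has been explored, index.md's edges to a.md and b.md are skipped in O(1) each instead of being walked again, and a node that is merely reachable by two routes is never mistaken for a cycle.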
Summary
- Blood Sentinel: PATH_TRAVERSAL_SUSPICIOUS references resolving into system directories (/etc/, /root/, /var/ …) are classified as security_incident and exit with code 3 — highest priority, never suppressed by --exit-zero
- Graph integrity: iterative DFS over the adjacency graph; CIRCULAR_LINK reported at severity info (never blocks CI); every Phase 2 per-link lookup is O(1)
- Hex Shield: new pattern for 3+ consecutive \xNN escape sequences (obfuscated payloads in docs source)
- Info suppression (--show-info): info findings suppressed by default with a footer count; opt-in via --show-info on all 7 check commands
- Genesis Fallback (ZRT-005): zenzic init works correctly in an empty directory; generated zenzic.toml includes commented Shield block

Changes

Engine
- validator.py: iterative DFS CIRCULAR_LINK + PATH_TRAVERSAL_SUSPICIOUS → exit 3
- reporter.py: incidents_count for security_incident; blood-red badge; show_info=False filter with suppression footer note
- cli.py: --show-info on all 7 commands; Shield comment block in init template
- shield.py: hex-encoded-payload pattern
- ui.py: BLOOD palette constant

Tests
- TestShowInfoFilter (3 tests): suppressed by default, --show-info, CLI flag

Docs (EN + IT)
- checks.md: Blood Sentinel section, Circular links Θ(V+E), full References section documenting Shield 8-pattern families and Exit Code 2 contract
- architecture.md (new): Iterative DFS O(V+E) design, O(1) Phase 2 lookup
- arch_gaps.md: ZRT-005 moved to Resolved with Genesis Test verification
- INTERNAL_GLOSSARY.toml: canonical EN/IT term registry
- example zenzic.toml files: Shield block
- safety_demonstration.md: live Sentinel demo without custom Markdown

Test plan
- just preflight green (ruff, mypy, 759 pytest, REUSE, zenzic self-check)
- zenzic init in empty directory — ZRT-005 Genesis Test
- PATH_TRAVERSAL_SUSPICIOUS
- --show-info displays CIRCULAR_LINK; default hides with suppression note
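The Blood Sentinel path end to end, as an added example that is not Zenzic's own code: resolve an href relative to the file that contains it, classify an escape from the docs root, hide info findings unless --show-info, and let the runner decide the exit code after the report has been rendered. The function names, the SYSTEM_DIRS list, the plain PATH_TRAVERSAL error severity and the rule that warnings never block CI are assumptions; only the exit 3 / exit 2 / info-never-blocks contract, the --exit-zero exemption and the suppression count come from the PR text.

```python
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed list: directories where a resolved link target is treated as a
# security incident. The PR names /etc/, /root/ and /var/ among others.
SYSTEM_DIRS = ("/etc/", "/root/", "/var/")


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str     # "info" | "warning" | "error" | "security_incident"
    source: str
    href: str
    resolved: str


def resolve_href(docs_root: str, source_file: str, href: str) -> str | None:
    """Resolve `href` the way a browser would: against the directory of the
    source file, or against the docs root when it starts with '/'. External
    links and pure anchors return None (out of scope for this check)."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc or not parts.path:
        return None
    root = posixpath.normpath(docs_root)
    if parts.path.startswith("/"):
        target = posixpath.join(root, parts.path.lstrip("/"))
    else:
        target = posixpath.join(root, posixpath.dirname(source_file), parts.path)
    # normpath collapses '..' segments, including ones that climb above '/',
    # which is how '../../../etc/passwd' ends up as '/etc/passwd'.
    return posixpath.normpath(target)


def classify(docs_root: str, source_file: str, href: str) -> Finding | None:
    """Scanner side: a finding only when the target escapes the docs root.
    Escaping into a system directory is a security_incident; any other
    escape is an ordinary error (assumed severity). No exit code here."""
    resolved = resolve_href(docs_root, source_file, href)
    if resolved is None:
        return None
    root = posixpath.normpath(docs_root)
    if resolved == root or resolved.startswith(root + "/"):
        return None
    code, severity = "PATH_TRAVERSAL", "error"
    if any(resolved == d.rstrip("/") or resolved.startswith(d) for d in SYSTEM_DIRS):
        code, severity = "PATH_TRAVERSAL_SUSPICIOUS", "security_incident"
    return Finding(code, severity, source_file, href, resolved)


def filter_info(findings: list[Finding], show_info: bool) -> tuple[list[Finding], int]:
    """Reporter side: drop info findings unless --show-info, and return how
    many were dropped so the footer can say so."""
    if show_info:
        return list(findings), 0
    shown = [f for f in findings if f.severity != "info"]
    return shown, len(findings) - len(shown)


def decide_exit_code(findings: list[Finding], exit_zero: bool = False) -> int:
    """Runner side, decided after rendering: 3 for any security_incident
    (immune to --exit-zero), 2 for any error unless --exit-zero, else 0.
    Info and warning findings never block CI (warning part assumed)."""
    severities = {f.severity for f in findings}
    if "security_incident" in severities:
        return 3
    if "error" in severities and not exit_zero:
        return 2
    return 0


if __name__ == "__main__":
    # Constructed inputs: one docs tree and three hrefs from guide/setup.md.
    root = "/repo/docs"
    hrefs = ["../api/index.md", "../../secret.txt", "../../../etc/passwd"]
    found = [f for h in hrefs if (f := classify(root, "guide/setup.md", h))]
    shown, hidden = filter_info(found, show_info=False)
    for f in shown:
        print(f.code, f.severity, f.href, "->", f.resolved)
    print("exit", decide_exit_code(found, exit_zero=True), "suppressed", hidden)
```

Keeping the exit-code decision out of the scanner is what makes the contract testable in isolation: the scanner only has to be right about severities, and the one rule that --exit-zero cannot override lives in a five-line function that a mutation test can target directly.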